NTLM hash with russian charset

[philsmd]

So basically this string is hashed with md4:

Code:

$HEX[3d0444043c0444044b04340449043c044304]

You can also test it like this (attention with -m 900 instead of -m 1000):

Code:

$ hex2bin 3d0444043c0444044b04340449043c044304 > dict.txt
$ ./oclHashcat64.bin --quiet -m 900 801e1482cfedbaa88812cdb106afa7a7 dict.txt
801e1482cfedbaa88812cdb106afa7a7:$HEX[3d0444043c0444044b04340449043c044304]

Note: instead of hex2bin you could just use

Code:

echo 3d0444043c0444044b04340449043c044304 | xxd -p -r

if you want.

The reason for the missed crack can be easily seen here.
This is how oclHashcat tries to crack it (oclHashcat doesn't mess with encoding!):

Code:

$ perl -e 'use Encode; use Digest::MD4 q (md4_hex); print md4_hex (encode ("UTF-16LE", pack ("H*", "EDF4ECF4FBE4F9ECF3"))) . "\n";'
83d1adcd5f3557b0ea7cb88c23e78acf
$ hex2bin EDF4ECF4FBE4F9ECF3 > dict.txt
$ ./oclHashcat64.bin --quiet -m 1000 83d1adcd5f3557b0ea7cb88c23e78acf dict.txt
83d1adcd5f3557b0ea7cb88c23e78acf:$HEX[edf4ecf4fbe4f9ecf3]

But this is how the ntlm algorithm works (encoding is important):

Code:

$ perl -e 'use Encode; use Digest::MD4 q (md4_hex); use encoding 'cp1251'; print md4_hex (encode ("UTF-16LE", pack ("H*", "EDF
4ECF4FBE4F9ECF3"))) . "\n";'
801e1482cfedbaa88812cdb106afa7a7

The most important part is the "use encoding 'cp1251'". But as said, oclHashcat doesn't care about encoding and does not fully support utf-16 as mentioned (amongst others) here: https://hashcat.net/forum/thread-3729.html - the suggested feature request by atom was "No new algorithm, add true support for utf-16".